Waterline’s Handy Dandy Summary of GDPR: Chapter 3

Today, we continue a series of blog posts that summarize how each of the GDPR articles may affect your business. These summaries can serve as an additional resource for those who need a quick and easy explanation.

CHAPTER 3: Rights of the Data Subject

All the articles in Chapter 3 elaborate on the rights of the “data subject,” or the person located in the EU whose data is being handled by a controller, processor or recipient.

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

This discusses how the controller must explain how a person’s data is being used in clear and plain language and that the controller must answer any questions a subject might have about how their data is being treated within 1 to 3 months, depending on how complex the question is. If the question is unreasonable, the controller can either charge a fee or refuse to act as long as it can demonstrate the request was excessive.

Article 13: Information to be provided where personal data are collected from the data subject

This specifies that when data is collected, the controller must provide the data subject with information including the controller’s identity and contact info, the purposes for the processing, any other recipients that may be handling the data, and the amount of time the data would be stored. The controller also has to inform data subjects of their rights, including the right to access the data held by the organization and the right to have data erased.

Article 14: Information to be provided where personal data have not been obtained from the data subject

This pertains to when data has not been collected directly from the data subject. In this case, the controller is still required to provide much of the same information to data subjects about who has their data and how it’s being used.

Article 15: Right of access by the data subject

This specifies the kind of information data subjects can request and access about the processing of their data, including information about the purpose of the processing, the categories of data, and all recipients of the data—including third countries or international organizations. In the case of the latter, the data subject can inquire about the data protection safeguards in place by those organizations.

Article 16: Right to rectification

This article explains that a data subject can demand that inaccurate data concerning them be corrected without undue delay.

Article 17: Right to erasure (‘right to be forgotten’)

This is a big one you’ve no doubt read about. Here, it specifies that people can request erasure of their data without delay. Article 17 does list some conditions, including allowing an organization to keep data as long as it is no longer needed for its original purpose. And the article cannot be invoked in instances where the data is being processed to serve the public interest. But its overall scope is open to a number of interpretations, which is one of the reasons why so much has been written about it.

That said, some of the other articles discussed here, like Article 15 about the right of access and Article 16 about the right to rectification, are likely to cause more work for organizations than Article 17. We anticipate that more people will care about making sure data held about them is correct than there will be people who just want it completely removed. Regardless, while this topic is good for the press, the other areas of GDPR compliance are more likely to impact the organization.

Article 18: Right to restriction of processing

This enumerates grounds for people to restrict processing of their data—at least for a period—including instances when data accuracy or legality is disputed.

Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing

Article 19 merely states the controller must inform all recipients that have received data about a data subject when that data subject requests rectification, erasure or restriction of processing. This is a big deal because the implication here is that your organization doesn’t only have to track the downstream use of data but also has to have a process in place to inform those downstream users of a data subject’s request. In our experience, this is a non-trivial problem because it means you have to carefully track data, its location and its lineage.

Article 20: Right to data portability

This explains that when people request access to their personal data, the controller must provide it in a “structured, commonly used and machine-readable format.” Basically, you can’t just dump some unreadable log file on them. You have to put some thought into how you present the information so it is understandable.

Article 21: Right to object

This states that people can challenge whether their data is being processed for the benefit of the public interest or other “legitimate” interests. The controller must then demonstrate compelling grounds for processing in the name of these interests. Digital marketers beware: Article 21 also gives people the right to restrict the processing of their data for the purposes of direct marketing. The bottom line is that this article is meant to protect individuals from an organization claiming a legitimate interest without really having one. Clearly, they wanted to avoid some clever lawyer hiding inside this potential loophole.

Article 22: Automated individual decision-making, including profiling

This explains that controllers are prohibited from using automated processing or profiling activity that can have discriminatory, legal or other significant personal ramifications for data subjects unless it’s required to fulfill the data subject/controller contract, authorized by Union or Member State law, or based on explicit consent. GDPR defines profiling as automated processing of personal data pertaining to a person’s “performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” What GDPR is trying to protect people from are machine-based decisions that can have profound negative impacts on their lives. Under this article, people are given reasonable recourse to human intervention when necessary to ensure proper fairness.

(Note here for all of you data geeks: We aren’t talking about “data profiling” in the sense of analyzing data values to identify data quality anomalies. We are talking about profiling that is similar to what some police departments are accused of doing—e.g., targeting minorities at traffic stops.)

Article 23: Restrictions

This explains the data subject rights put forth in Chapter 3 can be overridden in the name of national security, public safety, and general public interest, but even in these cases, controllers must inform data subjects of all the particulars—what data is being processed, for what purpose, the storage periods, safeguards in place, etc.

